Exchange 2016 CU6 Released

Exchange 2016 CU6 has been released to the Microsoft download centre! Exchange 2016 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2016 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 has the same servicing methodology.

This is build 15.01.1034.026 of Exchange 2016 and the update is helpfully named ExchangeServer2016-x64-CU6.iso which allows us to easily identify the update. Details for the release are contained in KB 4012108.

Some Items For Consideration

Exchange 2016 follows the same servicing paradigm for Exchange 2013 which was previously discussed on the blog. The CU package can be used to perform a new installation, or to upgrade an existing Exchange Server 2016 installation to this CU. Cumulative Updates are well, cumulative. What else can I say…

For customers with a hybrid Exchange deployment, must keep their on-premises Exchange servers updated to the latest update or the one immediately prior ( N or N-1).

Test the CU in a lab which is representative of your environment

Review this post to also factor in AD preparation which is to be done ahead of installing the CU onto the first Exchange server

Provide appropriate notifications as per your process. This may be to IT teams, or to end users.

After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange 2016. If you uninstall this cumulative update package, Exchange 2016 is removed from the server.

Place the server into SCOM maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

Place the server into Exchange maintenance mode prior to installing, confirm the install then take the server out of maintenance mode

I personally like to restart prior to installing CU. This helps identifies if an issue was due to the CU or happened in this prior restart, and also completes any pending file rename operations. 3rd party AV products are often guilty of this

Restart the server after installing the CU

Ensure that all the relevant services are running

Ensure that event logs are clean, with no errors

Ensure that you consult with all 3rd party vendors which exist as part of your messaging environment. This includes archive, backup, mobility and management services.

Ensure that you do not forget to install this update on management servers, jump servers/workstations and application servers where the management tools were installed for an application. FIM and 3rd party user provisioning solutions are examples of the latter.

Ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. See KB981474.

Disable file system antivirus prior to installing. Do this through the appropriate console. Typically this will be a central admin console, not the local machine.

Verify file system antivirus is actually disabled

Once server has been restarted, re-enable file system antivirus.

Note that customised configuration files are overwritten on installation. Make sure you have any changes fully documented!

CU6 does contain new AD Schema updates for your organisation.

Please enjoy the update responsibly!

What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally you will need to test the CU your lab which is representative of your production environment.

Apparently No Schema updates only the version number got increased. All Schema updates were pulled from CU6 and will include in the CU7 release. With that said because of the Schema version increment, you still have to run through the Schema Update/AD Prep.

Same problem here.
CU6 breaks OWA! ASP.NET error in application log. (1309).
Sais something about Security certificate is absent.
Found out that the Exchange Server Auth Certificate is missing after the Update.
Recreating the Cert und reassigning with Set-AuthCertificate did not improve anything.
Had this Problem last week on a brand new installation as well as on a upgrade from CU4 to CU6.

I think that there must be something really wrong with CU6!
Any others out there with the same problem?

hi there
i have found out the following. changing the timezone of the machine so it matches the same time displayed on the errorpage “something went wrong”
there was a 2 hours mismatch so i changed to a different timezone..
and after that it worked.. what the hell….??

Hi Rhoderick
I have a few questions for you.
1. A while back a saw some articles on google NOT recommending installation of exchange 2016 on server 2016 OS. It was something about the IIS crashing constantly – or something related.

Same problem here.
CU6 breaks OWA! ASP.NET error in application log. (1309).
Sais something about Security certificate is absent.
Found out that the Exchange Server Auth Certificate is missing after the Update.
Recreating the Cert und reassigning with Set-AuthCertificate did not improve anything.
Had this Problem last week on a brand new installation as well as on a upgrade from CU4 to CU6.

I think that there must be something really wrong with CU6!
Any others out there with the same problem?

Hi Morton,
thanks for your reply.
I have checked that already. web.config exists and is alright.
Tried also to copy it from the mention location (overwriting the existing one) but that did not help either.

the (ASP.NET Event ID 1309 event code 3005) OWA Problem could be solved, if you check for the “OAuth Certificate” with friendly name “Microsoft Exchange Server Auth Certificate” and creates them again if is not present!?

Check for Event Log Warnings:

“MSExchange OAuth” mit der Event-ID 2004
“Unable to find the certificate with thumbprint xxxxxxxxxxxxxxx in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.”

Thanks for this! I’ve been working on this since like June 30th or something, and the Set-AuthConfig Certificate stuff ended up being the answer. I imagine there are going to be a fair amount of angry people out there if this CU breaks their Exchange though.

Hi morty,
recreating OWA / ECP virtual directories did not fix the issue.
We even did a complete uninstall an reinstall of the exchange server. No luck.
Finally we build up the domain from scratch (only 20 Users) and installed CU5 without any problems!
This really sucks!

Hello,
I had the same problem, OWA and ECP breaks. It was both a problem of certificate deleted for the ssl part and a probleme with the authorizations of the virtual directories. You need to check that the backend ecp /Owa have the correct ones and default web site as well.

The problem has been solved.
We had opened a support case at microsoft.
They troubleshooted with one of our employees 2 times. Without a solution.
After an internal escalation at microsoft they found the solution.
The web.config file gets somehow corrupted or gets wrong entries.

I have no further details so far but I will check out what the exact cause was.
I’ll keep you updated.

I don’t dare install CU6 until we feel comfortable that LaggedCopies are fixed from CU5…
Did anyone have this issue?

Another CU installed (CU5), another issue with Lagged Copies…
After installing CU5 (3 weeks ago), all 14day Lagged Copies are either ReplayQueue of 0 or Unhealthy with ReplayQueue of 10Ks
I removed one 14day LaggedCopy, deleted the dir files and recreated with 14day Lag and Pref4, wait for reseed…ReplayQueue back to 0
Any ideas?? We got burned on CU4 with LaggedCopies going into AutoSuspend (undocumented feature of CU4)

Problem with OWA was resolved wonderfully.
With Event ID 1305 (ASP.NET 4.0.30319.0 …Encryption certificate is absent…) i also have Event ID 2004 MSExchange OAuth (Unable to find the certificate with thumbprint ****** in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.).

What I have made:
1) By this (https://social.technet.microsoft.com/wiki/contents/articles/34914.exchange-troubleshooting-federation-or-auth-certificate-not-found.aspx) was solved problem with Event ID 2004
2) Start two inactive components:
(Set-ServerComponentState -Component ForwardSyncDaemon -Identity EXCHANGE-SERVER -Requester Functional -State Active
Set-ServerComponentState -Component ProvisioningRps -Identity EXCHANGE-SERVER -Requester Functional -State Active)
3) Restart IIS services (i have two EX2016 servers in DAG)
After about 2 hours OWA began work fine. No more Event ID 1309 and 2004. May be after restart exchange servers OWA began to work immediately.
OwaTooManyWebAppStartsMonitor now Healthy.

Thanks a ton for this. I was installing a new Hybrid 2016 server for a customer and because we still need this to be supported and for relay and for migration purpose. After installing a clean Exchange 2016 CU6 ISO i got these issues. Seems like bugs to me Microsoft!!!

In my lab, I was running CU5. I had some early on issues with that so I decided against pushing that in my production environment. Going from CU5 to CU6 in my lab was seemless and without issue; however, attempting to go from CU4 to CU6 in production won’t get past the pre-req check. The installer tells me I don’t have a mailbox server installed and the AD schema is not up to date.

After reading through all these comments, I have second thoughts about trying to patch my on-prem Exchange 2016 servers. Does anyone know if you can go straight from CU4 to CU6 or if you have to install CU5 first?

Hello after Update to Exchange 2016 CU6 i have a Problem with my Outlook Clients (2013 fully Patched)
The free Busy Information takes a very long time and sometimes i received no Information , the same for Out of Office here i get the “server unavailable”. Before the Update to CU6 i have no Problems ! Is it possible that the support for TLS 1.2 in cU6 has something to do with that ?

I confirm having the same issue with event IDs 2005 and 1309. OWA would present a login screen, then give me the “something went wrong” dialog instead of showing me my inbox. When looking for the above event IDs, be sure to check in the event viewer under “Windows Logs” > “Application” (I had mistakenly looked for them under “Applications and Services Logs” > “MSExchangeManagement” and found nothing relevant).

If you have the same event IDs, follow the above guide to the letter but don’t forget to substitute any references to “*.domain.com” with your environment’s domain. Restarting the IIS service after following the above guide fixed the issue for me without requiring a reboot or down time.

I hope this helps anyone who ends up in my shoes; it was a frustrating issue to troubleshoot following a successful cumulative update.

I find new bug of CU6, may be somebody help me. When i try enable transport rule witch curently disabled (Enable-TransportRule “xxxx”) i get warning:
WARNING: An unexpected error has occurred and a Watson dump is being generated:
SOFTWARE\Microsoft\MSIPC\CurrentVersion not found
SOFTWARE\Microsoft\MSIPC\CurrentVersion not found
+ CategoryInfo : NotSpecified: (:) [Enable-TransportRule], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.Exchange.MessagingPolicies.Rules.Tasks.EnableTransportRule
+ PSComputerName : ex2016_server

Rule does not enabling…
Recreating rules does not fix the problem
Someone else has encountered such a problem?

Have you installed .net 4.7 ? in my case this was the reason! Uninstall 4.7 fixed the Problem with the EWS Erros ! i know this is not supported but i installed it automatically because it didnt checked the windows updated before installing 🙁 maybe in your case its the same

Microsoft says they can adjust the Bug .. they say there is a Problem with a Code limitation. The Developers are working on a solution but the MS Technican has no information how long does it take .. so we have to wait for a fix or a second revision of CU6

We still have problems With EWS, Out-of-Office and freebusy after upgrading to CU6. We have not installed .net 4.7. Even tried the updatecas.ps1 script with no success.
Seems like the EWS crashes all the time:

Hi,
we also have the same sympthoms like Daniel or Steve – free/busy is randomly not available or extremely slow, EWS access from Outlook for Mac or Apple Mail is slow or not present.
This behavior comes after Upgrade to CU6, a test installation with CU7 doesn’t fix it. Anyway in our testing environment this problem does not appear.

We got the same entries in the eventlog, additionally there are a lot of 401 errors in the Outlook for Mac debug log during the attempt to connect.

@Steve Minor, just a short question, you said there is an open case at microsoft – do they have any idea to solve our problem?

as promised, here is the solution for the problem from July 9th (CU6 breaks OWA). 🙂

——————
Symptom:
Customer has an Exchange 2013 and Exchange 2016, when an exchange 2016 user tries to log in to owa, he gets to the authentication screen, can be authenticated, and then gets error 500 – internal server error

Cause:
most probable cause is web.config file corruption

Resolution:
did research, all cases that I can find were pointing to corruption of web.config file under %Exchangeinstallpath%\ClientAccess\OWA , but we have already recreated this.

Decided to recreate it with a brand new file, and I copied the contents of it, created a new web.config file using notepad and pasted it in the new file. Ran iisreset. stll no go.

Tried to run .\updatecas.ps1 so that we can restore files in front end, if there are any stale entries of the old corrupted files.

Hi Rhoderick, I´m about to plan an upgrade of Exchange 2016 CU4 to CU6.
Besides maybe a full VMM Clone of this virtual server, what would your best suggestion and advise be, to a Fall Back plan for me, in case something goes wrong, during or after til update to Exchange 2016 CU6 ?

I know that the CU´s updates are different from I.e. the updates for Exchange 2010. The CU´s for both Exchange 2013 and Exchange 2016 are “fresh” or completely new installations, with the Exchange configuration applied after the CU. Unfortunately I´m not able to test the update for CU6 in a test environment, so I need a fall back plan when updating this exchange server in a production setup.